Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 88904 - mail-filter/gld: Format String Flaws and Buffer Overflows
Summary: mail-filter/gld: Format String Flaws and Buffer Overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High blocker (vote)
Assignee: Gentoo Security
URL: http://securitytracker.com/alerts/200...
Whiteboard: B0 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-12 15:25 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-04-13 05:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-12 15:25:14 UTC
Version(s): 1.3, 1.4
Description:  dong-hun you from INetCop Security reported several vulnerabilities in Gld. A remote user can obtain root privileges.

The 'server.c' file contaisn several buffer overflows. A remote user can supply specially crafted input to trigger a buffer overflow and execute arbitrary code.

The 'cnf.c' file contains several format string vulnerabilities, where user-supplied data is not properly validated and is passed to a syslog() call without the appropriate format string specifier. A remote user can supply specially crafted input to execute arbitrary code with root privileges.
Impact:  A remote user can execute arbitrary code with root privileges.

Solution:  No solution was available at the time of this entry.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-12 23:07:09 UTC
auditors and/or net-mail please advise.
Comment 2 rob holland (RETIRED) gentoo-dev 2005-04-13 02:12:38 UTC
despite the various "this is safe" comments in the source code, it hasn't been thought out so well.

perl -e 'print "request=" . ("x" x 2000) . "\n\n"' | nc localhost 2525

Overflow at: server.c:265

strcpy without proper length checks (despite comments in the code which say otherwise).

attacker decides what lands on the stack, so its easily exploitable.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 02:55:24 UTC
Has upstream been informed about this?
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 03:02:53 UTC
Bummer, cached page here. 1.5 is released today. 

net-mail please bump.
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2005-04-13 03:04:33 UTC
I'll do it.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 03:15:30 UTC
Default config IS affected -> upgrading severity.

net-mail please provide a better default than this:

#
# Shall we bind only to loopback ? (0=No,1=Yes) (default is 0)
#
LOOPBACKONLY=0

#
# The list of networks allowed to connect to us (default is everybody)
# The format is network/cidrmask,....
#
# Uncomment the line to activate it.
#
#CLIENTS=192.168.168.0/24 172.16.0.0/19 127.0.0.1/32
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 03:24:28 UTC
net-mail please also fix the default user. Right now the default config make it run with root privs:

#
# The user used to run gld (default value is no user change)
# uncomment the line to activate it.
#
#USER=nobody

#
# The group used to run gld (default value is no group change)
# uncomment the line to activate it.
#
#GROUP=nobody
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2005-04-13 03:30:42 UTC
Ebuild for 1.5 in portage, x86 stable.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 03:42:11 UTC
amd64 please test and mark stable ASAP.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 03:56:12 UTC
amd64 please cvs up if you're already started:

[12:56:33] <@Ticho> jaervosz: updated the gld ebuild, since it installed few files in wrong places
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2005-04-13 04:35:25 UTC
It seems to work just fine on a busy amd64 mailserver I admin. Marked stable on amd64.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 04:37:46 UTC
Thx everyone. This one is ready for glsa.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-13 05:23:06 UTC
GLSA 200504-10